Machine Authentication and the login process

We currently use both machine and user authentication using EAP-MSCHAPv2.

When machine authentication occurs, a limited role gets passed back that allows the machine basic access to network resources.

I am finding more and more that there is a delay in the transition from machine auth to user auth, resulting in connectivity issues for the user. Oftentimes the login scripts can't map network drives because there is no access to the file servers at the time that the login scripts run. This is because user authentication has not yet occurred, leaving the client in the machine-authenticated role.

I am curious if others have experienced this and how you dealt with it? Do you use two roles, one for machine and one for users? Do you only do machine authentication? Are both roles open?

Some additional observations:

We have a lot of Dell devices and it seems we are experiencing increasing issues with these devices in particular.

RADIUS timeouts are a big contributor to this behavior. We currently have an open case with Aruba about this, but I do not believe this is the only issue.

Re: Machine Authentication and the login process

Any suggestions on what things I should make sure are open? Should I be focusing on ports? Or access to specific servers?

Currently, there is full access to all of the domain controllers, DNS, DHCP, our anti-virus server, our computer management server, and a few other things.

A good place to start would probably be to run the 'show datapath session table ...' command to capture what is going on on the client during the transition and then open anything that is being denied (within reason)?
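To make the session-table approach above concrete, here is an added example (not code from the thread or from Aruba) that parses a captured session listing and lists the destination/port pairs a client was denied while still in the machine-authenticated role. The sample table is constructed for this example; it follows the general column shape of the 'show datapath session table' output, and the assumption that the Flags column carries a 'D' letter for denied sessions is exactly that, an assumption to be checked against your controller's flag legend. The output is what you would compare against the machine role to decide which file-server or SMB flows to open.

```python
import re

# Constructed sample in the general shape of a controller session listing.
# Column order and the 'D' (deny) flag letter are assumptions for this example,
# not captured output from a real controller.
SAMPLE_TABLE = """\
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- ------- ----- -----
10.20.30.40     10.0.0.10       17   53001 53    0/0   0    0   1   tunnel 10   1    4       512   F
10.20.30.40     10.0.0.20       6    49711 445   0/0   0    0   1   tunnel 10   1    3       180   D
10.20.30.40     10.0.0.21       6    49712 445   0/0   0    0   0   tunnel 10   1    2       120   D
10.20.30.40     10.0.0.5        6    49713 389   0/0   0    0   1   tunnel 10   1    9       2200  FC
10.20.30.40     10.0.0.20       6    49714 139   0/0   0    0   1   tunnel 10   1    1       60    D
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# A data row starts with an IPv4 address; header and separator lines do not.
IPV4_START = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_sessions(text):
    """Parse session rows into dicts. Only the first five columns and the
    trailing Flags column are used, so the free-text 'Destination' column
    (e.g. 'tunnel 10', which splits into two tokens) cannot shift them."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not IPV4_START.match(parts[0]):
            continue  # skip header, separator and blank lines
        src, dst, proto, sport, dport = parts[:5]
        rows.append({
            "src": src,
            "dst": dst,
            "proto": int(proto),
            "sport": int(sport),
            "dport": int(dport),
            "flags": parts[-1],
        })
    return rows


def denied_flows(rows, client_ip=None):
    """Return unique (dst, proto, dport) tuples for sessions whose Flags
    contain the assumed deny marker 'D', optionally limited to one client."""
    seen = set()
    out = []
    for r in rows:
        if "D" not in r["flags"]:
            continue
        if client_ip and r["src"] != client_ip:
            continue
        key = (r["dst"], r["proto"], r["dport"])
        if key not in seen:
            seen.add(key)
            out.append(key)
    return out


def describe(denied):
    """Render denied flows as 'host proto/port' strings for a role review."""
    return [f"{dst} {PROTO_NAMES.get(proto, proto)}/{dport}"
            for dst, proto, dport in denied]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_TABLE)
    for item in describe(denied_flows(sessions, client_ip="10.20.30.40")):
        print("denied in machine role:", item)
```

Run it against a listing captured while a client is logging in (filtered to that client's IP) and the printed lines are the candidate additions to the machine role; in the constructed sample they are the SMB ports on the two file servers, while DNS and LDAP to the domain controller pass.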